Some Facebook users gleefully exploited a security flaw in Facebook’s mechanism for reporting inappropriate or offensive images posted on the social networking site to access and publish Facebook CEO Mark Zuckerberg’s private photos. Facebook moved quickly to close the hole.

On 27 November, an anonymous poster on Web forum bodybuilding.com listed step-by-step instructions on how to access photos uploaded by other Facebook users, even if the images had been locked as private. Thirteen pictures grabbed from Zuckerberg’s account and marked private were posted on Imgur photo sharing site and shared widely on Twitter.

Unsecured feature

When a user flags an image on another user’s profile as containing nudity or adult content using the self-reporting system, the tool offers an option of “selecting additional photos to include with your report”, according to the instructions posted on the I teach you how to view private Facebook photos post.

If the user wants to select additional photos, Facebook displayed an album containing additional photos that could be flagged, many of which had been marked as private when uploaded by the user. The forum thread also discussed ways the user can resize and enlarge the photos available.

Facebook has now closed the security hole.

“Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously,” Facebook said in a statement. The bug was a result of a “recent code push” and was live for only a “limited period of time”, the company said.

“Not all content was accessible, rather a small number of one’s photos,” Facebook said, adding that only a limited number of users were affected. The company did not disclose how many people may have been affected by the exploit. Users are not notified who flagged their images using the tool, and they would not be able to tell that someone had used the exploit to view their private photos.

The exploit does not appear to have worked consistently, as the reporting tool did not always display the “additional photos” option to users, and not all the images that were in the album had been private, according to the forum thread.

Picture perfect again

The reporting tool has been disabled, and Facebook “will only return functionality once we can confirm the bug has been fixed,” Facebook said. The company also reaffirmed its commitment to data privacy, and that the integrity of user data was the company’s “top priority”.

The anonymous poster who found the flaw told the Wall Street Journal the flaw was discovered by accident. “This is simply terrible programming on Facebook’s part,” the poster told the Journal, adding it is, “inexcusable considering how many engineers and Web developers they have working for them”.

This is not the first time someone used a Facebook exploit to go after the CEO. In January, a hacker posted a message that appeared to be from Zuckerberg that suggested the company look to its own users to raise funds instead of going to the banks.

The timing of this attack is unfortunate, as just a few days ago, Facebook settled with the US Federal Trade Commission on charges of misleading users about how their personal information would be used. The settlement requires Facebook “to establish and maintain a comprehensive privacy programme” that would be subject to regular audits by a third-party for the next 20 years, the FTC said.